Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Identity intelligence and AI agents: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Identity attacks account for over 80% of breaches, and Lumos argues that visibility alone cannot keep pace with growing permission sprawl, delegated access, and AI agents that operate at machine speed. The harder problem is not seeing access, but deciding what matters and acting on it before over-privilege expands the blast radius.

NHIMG editorial — based on content published by Lumos: Why Identity Needs Intelligence, Not Just Visibility

By the numbers:

Questions worth separating out

Q: How should security teams turn identity visibility into usable governance?

A: Security teams should use visibility as an input, not an endpoint.

Q: Why do AI agents make least-privilege access harder to enforce?

A: AI agents can exercise delegated permissions at machine speed, so a single entitlement can create faster and wider impact than the same access used by a human.

Q: What do IAM teams get wrong about access review programs?

A: Teams often assume that review means control, but review only works when reviewers have enough context to make a real decision.

Practitioner guidance

  • Map where visibility ends and decisioning begins Inventory the points in your identity programme where teams can see access but still cannot decide whether it should remain.
  • Evaluate delegated access by execution model Separate human-operated access from access exercised by AI agents or other non-human actors.
  • Build context-rich identity data models Connect identity, entitlement, usage, and policy data so automation can reason over relationships rather than isolated records.

What's in the full article

Lumos's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor defines identity visibility and intelligence as separate layers in its product model
  • Examples of AI agents for role mining, entitlement analysis, and access review prioritisation
  • The context engineering model used to make identity recommendations more specific to the environment
  • How the vendor positions continuous feedback loops between findings, approvals, and remediation

👉 Read Lumos's analysis of why identity needs intelligence, not just visibility →

Identity intelligence and AI agents: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Visibility without decisioning is not identity governance. The article correctly separates inventory from action, and that is the right line to draw for modern identity programmes. Teams already know they have too many permissions, too much drift, and too little time to review it manually. The field-level problem is not discovery anymore. It is that discovery has outgrown human review capacity, so governance stops at observation unless the system can prioritise and act. Practitioners should treat intelligence as the operational layer that makes identity controls enforceable.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who should own identity intelligence in an enterprise?

A: Identity intelligence should sit with the team that governs identity lifecycle and access risk, not as a side project for a data science group. The owner needs authority to connect discovery, prioritisation, and remediation across humans, NHI, and delegated agent access, because that is where the operational decisions happen.

👉 Read our full editorial: Identity intelligence is becoming essential for least-privilege access



   
ReplyQuote
Share: